“Ever since iOS 4 arrived, your device has been storing a long list of locations and time stamps,” Warden and Allen wrote. “We’re not sure why Apple is gathering this data, but it’s clearly intentional, as the database is being restored across backups, and even device migrations.”

Warden is providing an open source program “iPhone Tracker” for iPhone and 3G iPad customers to output their location file into an interactive map, like the one above, so they can see for themselves. All you have to do is plug in your iDevice through USB and run Warden’s application. The software requires OS X 10.6 (Snow Leopard).

The iPhoneTracker application features a sliding bar for users to see where they were in specific times of the year.

Apple did not immediately respond to a request for a comment. Apple has not previously disclosed that iPhones and iPads are constantly tracking and storing user location.

The discovery is the latest in a series of alarming incidents that serve as cautionary tales about privacy in the always-connected mobile era.

Recently, German politician and privacy advocate Malte Spitz sued his phone carrier Deutsche Telekom to get every piece of information it had about him. The carrier delivered to him a gigantic file containing 35,000 data points of his location for six months. Later, a German publication plotted Spitz’s data onto an interactive map.

This iPhone and iPad privacy leak is eerily similar, and creepier, considering that Apple has sold over 100 million iPhones and 15 million iPads.

The location data stored inside “consolidated.db” cannot be accessed by Safari or any apps, said Charlie Miller, a security researcher known for discovering vulnerabilities in the iPhone. However, the data file is sensitive because a thief who gains physical access to an iPhone or iPad could look at the file and see everywhere a customer has been, or a hacker could remotely break in and read the file, Miller said.

It’s not simple for a hacker to remotely access an iPhone to get to that file. But in the past, Miller found an exploit that would allow a hacker to hijack an iPhone just by sending a text message to it containing malicious code. Apple later patched that exploit, but security researchers say there are plenty of vulnerabilities in the wild left unaddressed.

Sharon Nissim, consumer privacy counsel of the Electronic Privacy Information Center, said it is possible Apple is violating the Wireless Communications and Public Safety Act, which allows telecom carriers to provide call information only in emergency situations.

“By asking for permission to collect location data, Apple may be trying to get around its legal obligations, by asking people to give up privacy rights they don’t even know they have,” Nissim said.

She added that a potential privacy concern is that law enforcement would be able to subpoena these types of records from people’s iPhones or iPads.

Here’s The Thing With Ad Blockers

We get it: Ads aren’t what you’re here for. But ads help us keep the lights on. So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.